Overview
UNIX
64-bit
Networking
Open Directory
File system
Security controls
Xgrid
Mac OS X Server is built on an advanced architecture to deliver the features you want with the security you need. It’s designed to protect your server, your network and your data with a host of features — including built-in firewall with stateful packet analysis, strong encryption and authentication services, data security architectures and support for access control lists.
Security standards.
Trusted by security experts around the world, industry-standard security protocols support all aspects of system, data and networking security required by today’s applications.
Kerberos for single sign-on.
Mac OS X Server integrates MIT’s Kerberos technology to enable single sign-on in both Apple Open Directory and Microsoft Active Directory environments.
SSH (Secure Shell).
Mac OS X Server uses OpenSSH as its default protocol for secure remote server setup and administration. SSH encrypts remote command-line traffic, including passwords, to effectively eliminate eavesdropping, connection hijacking and other network-level attacks that plague rlogin and telnet connections. Mac OS X Server includes the full suite of OpenSSH client and server functionality, including SSH for command execution, SFTP for file transfer and SCP for file copies.
SSL/TLS.
Mac OS X Server integrates Secure Sockets Layer (SSL), today’s most common transport mechanism and Transport Layer Security (TLS), the next-generation security standard for the Internet. The core server operating system and many network services, including Apache, OpenLDAP, Postfix and Cyrus, use these transport layer mechanisms to provide a secure, 128-bit encrypted channel between two systems and to protect the information in the channel from eavesdroppers. For secure authenticated communications, Mac OS X Server can use X.509 digital certificates to verify a server’s authenticity on the Internet or local area network.
CDSA (Common Data Security Architecture).
Mac OS X Server uses CDSA, an open standard from the Open Group. CDSA provides a layered set of security services and a cryptographic framework for creating security-enabled applications, including support for SSL versions 2 and 3 and TLS version 1. Apple’s CDSA architecture also integrates OpenSSL, a security library for use by legacy open source applications, as well as the Linux Pluggable Authentication Modules (PAMs), allowing UNIX applications to access CDSA services through a PAM API.
Access control lists (ACLs).
Mac OS X Server supports the native rich file permissions of Mac OS X and Windows. Access control lists (ACLs) give administrators fine-grained control over server settings and permissions, protecting applications and data from unauthorized use and modification.
File system access.
Mac OS X Server supports both traditional UNIX file permissions and ACLs, offering administrators an unprecedented level of control over file and folder permissions. Most UNIX- and Linux-based operating systems are constrained by the UNIX file permissions model, also known as Standard Portable Operating System Interface (POSIX) permissions. Standard UNIX file permissions allow you to assign one access privilege to the file’s owner, one to a group and one to everyone on the network. Multiple users and multiple groups are not allowed, nor is ownership by a group.
The traditional UNIX model also lacks other important file access features: It supports only three permissions — read, write and execute — and does not support permission inheritance, which enables new or copied files to automatically inherit the access controls of the parent directory.
To provide flexibility in complex computing environments, Mac OS X Server includes support for ACLs. With file system ACLs, any file object can be assigned multiple users and groups, including groups within groups. Each file object can also be assigned both allow and deny permissions, as well as a granular set of permissions for administrative control, read, write and delete operations. For added security, Mac OS X Server supports a file permission inheritance model, ensuring that user permissions are inherited when files are moved to the server and rewritten when files are copied to the server.
Service access.
Service access control lists (SACLs) provide a simple way for server administrators to specify which users and groups can access different services. For example, an administrator can configure a workgroup file server bound to a huge centralized directory to accept connections only from users who are in the workgroup. This capability is increasingly critical, as more sites are moving to a centralized directory system. All the user-based Mac OS X Server services support SACLs.
Firewall.
Similar to erecting a wall that restricts access, firewall software protects network applications running on Mac OS X Server. Using the reliable, open source IPFW software from FreeBSD, the firewall in Mac OS X Server scans incoming IP packets and rejects or accepts them based on the filters you set. You can restrict access to any IP service running on the server and you can customize filters for all incoming clients or for a range of client IP addresses. To prevent IP address spoofing, the firewall software provides stateful packet inspection, which determines whether an incoming packet is a legitimate response to an outgoing request or part of an ongoing session.
